Utility authorities for Db2 catalog and directory

The Db2 catalog is in the DSNDB06 database. Authorities that are granted on DSNDB06 also cover database DSNDB01, which contains the Db2 directory.

An ID with ACCESSCTRL or SECADM authority can control access to the catalog in the following ways:

By granting privileges or authorities on that database or on its tables or views
By binding plans or packages that access the catalog

An ID with ACCESSCTRL or SECADM authority can control access to the directory by granting privileges to run utilities on DSNDB06, but that ID cannot grant privileges on DSNDB01 directly.

An ID with ACCESSCTRL authority can run the UNLOAD utility on tables in DSNDB06.

The following table shows the utilities IDs with different authorities that can run on the DSNDB01 and DSNDB06 databases. Do not run REPAIR DBD against DSNDB01 and DSNDB06 because they are system databases; you will receive a system restriction violation message if you do. Also, you can use the LOAD utility to add lines to SYSIBM.SYSSTRINGS, but you cannot run it on other DSNDB01 or DSNDB06 tables.

Table 1. Utility privileges on the Db2 catalog and directory
Utilities	Installation SYSOPR, SYSCTRL, SYSADM, Installation SYSADM	DBCTRL, DBADM on DSNDB06	DBMAINT on DSNDB06	System DBADM	DATAACCESS	SQLADM
LOAD	No	No	No	No	No	No
REPAIR DBD	No	No	No	No	No	No
CHECK DATA	Yes	No	No	No	Yes	No
CHECK LOB	Yes	No	No	Yes	No	No
REORG TABLESPACE	Yes	No	No	No	Yes	No
STOSPACE	Yes	No	No	No	No	No
REBUILD INDEX	Yes	Yes	No	Yes	Yes	No
RECOVER	Yes	Yes	No	Yes	Yes	No
REORG INDEX	Yes	Yes	No	No	Yes	No
REPAIR	Yes	Yes	No	No	Yes	No
REPORT	Yes	Yes	No	Yes	Yes	No
CHECK INDEX	Yes	Yes	Yes	Yes	No	No
COPY	Yes	Yes	Yes	Yes	No	No
MERGECOPY	Yes	Yes	Yes	Yes	No	No
MODIFY	Yes	Yes	Yes	Yes	No	No
QUIESCE	Yes	Yes	Yes	Yes	No	No
RUNSTATS	Yes	Yes	Yes	Yes	No	Yes
UNLOAD	No	No	No	Yes	Yes	Yes